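# From the 2010 MIT Spam Conference "best student paper"
# "Detecting Gray in Black and White"
# by Christian Rossow, Thomas Czerwinski, Christian J. Dietrich (all students)
# http://bit.ly/Detecting_Gray_in_Black_and_White (PDF)
#
# The paper evaluates very similar methodology to the S25R concepts and my own
# tinkering within this space (of searching for dynamic-type names in rDNS).
# It cleanses itself with some white rDNS searches that might be interesting.
# Named RCD for the paper's authors but the rules and regexes are mine.
#
# How to read these rules:
#  * Every regex is anchored with /^[^\]]+ rdns=.../, so it only inspects the
#    FIRST relay entry of X-Spam-Relays-External -- the external host that
#    handed the message to our trusted infrastructure.  The rdns= value is
#    whatever the receiving MTA recorded in its Received header, so these
#    rules are only as trustworthy as the trusted_networks / internal_networks
#    setup that tells SpamAssassin which Received headers to believe.
#  * "_MESSY" variants match the keyword as a bare substring anywhere in the
#    name (so "smtp" also hits "nosmtpd.example").  The strict variants
#    require a word boundary before the keyword and a non-letter after it
#    (so "smtp1." and "mx-out." hit, "smtpd." does not).
#  * All "__" rules are zero-score subrules.  Only the meta rules score, and
#    they carry no explicit score lines, so they run with SpamAssassin's
#    default score; "nopublish" keeps them out of the published rule set.
#  * Fixes relative to the first draft: the RCD_RDNS_SERVER_MESSY meta
#    referenced a non-existent __RCD_RDNS_MX_MESSY_MESSY subrule, the
#    RCD_RDNS_DYNAMIC meta used the _MESSY subrules (making it a near-copy
#    of RCD_RDNS_DYNAMIC_MESSY) while RCD_RDNS_DYNAMIC_MESSY pulled in the
#    strict __RCD_RDNS_PROXY, and the MX/SMTP _MESSY regexes lacked the /i
#    flag every other rule here uses.

# --- "server-ish" names (white-ish indicators) -------------------------------

header    __RCD_RDNS_MX_MESSY     X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/i
header    __RCD_RDNS_MX           X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i

header    __RCD_RDNS_SMTP_MESSY   X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/i
header    __RCD_RDNS_SMTP         X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i

header    __RCD_RDNS_MTA_MESSY    X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i
header    __RCD_RDNS_MTA          X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i

# should be fully overlapped and eclipsed by __RDNS_STATIC
header    __RCD_RDNS_STATIC_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*static/i
header    __RCD_RDNS_STATIC       X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bstatics?[^a-z]/i

# Based on the paper's results, OB shouldn't hit much
header    __RCD_RDNS_OB_MESSY     X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*outbound/i
header    __RCD_RDNS_OB           X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i

header    __RCD_RDNS_MAIL_MESSY   X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i
header    __RCD_RDNS_MAIL         X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i

# Strict meta uses only the strict subrules; the _MESSY meta only the _MESSY ones.
meta      RCD_RDNS_SERVER         __RCD_RDNS_MX || __RCD_RDNS_SMTP || __RCD_RDNS_MTA || __RCD_RDNS_STATIC || __RCD_RDNS_OB || __RCD_RDNS_MAIL
tflags    RCD_RDNS_SERVER         nice nopublish

meta      RCD_RDNS_SERVER_MESSY   __RCD_RDNS_MX_MESSY || __RCD_RDNS_SMTP_MESSY || __RCD_RDNS_MTA_MESSY || __RCD_RDNS_STATIC_MESSY || __RCD_RDNS_OB_MESSY || __RCD_RDNS_MAIL_MESSY
tflags    RCD_RDNS_SERVER_MESSY   nice nopublish

# --- "dynamic-ish" names (gray/black indicators) -----------------------------

# expected to be fully overlapped and eclipsed by __RDNS_INDICATOR_TYPE
header    __RCD_RDNS_DIAL_MESSY   X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*dial/i
# strict form also accepts "dialin", "dialing", "dials"
header    __RCD_RDNS_DIAL         X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bdial(?:ing?)?s?[^a-z]/i

# expected to be near identical to __RDNS_INDICATOR_DYN
#GRADUATED to khop-dynamic#
header    __RCD_RDNS_DYN_MESSY    X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*dyn/i
# strict form accepts "dyn", "dyna", "dynamic", "dynamics"
header    __RCD_RDNS_DYN          X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bdyna?(?:mic)?s?[^a-z]/i

header    __RCD_RDNS_PROXY_MESSY  X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*proxy/i
# strict form accepts "proxy", "proxying", "proxies", "proxied"
header    __RCD_RDNS_PROXY        X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bprox(?:y(?:ing)?|ie[ds])[^a-z]/i

# should be superset of __RDNS_DYNAMIC_ASAHI
#GRADUATED to khop-dynamic#
header    __RCD_RDNS_PPP_MESSY    X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppp/i
header    __RCD_RDNS_PPP          X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bppp[^a-z]/i

#GRADUATED to khop-dynamic#
# "ppoe" is a substring of the correctly spelled "pppoe", and the strict form
# allows an optional leading "p", so both spellings are covered.
header    __RCD_RDNS_PPOE_MESSY   X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*ppoe/i
header    __RCD_RDNS_PPOE         X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bp?ppoe[^a-z]/i

# Same strict/_MESSY pairing as the SERVER metas above.
meta      RCD_RDNS_DYNAMIC_MESSY  __RCD_RDNS_DIAL_MESSY || __RCD_RDNS_DYN_MESSY || __RCD_RDNS_PROXY_MESSY || __RCD_RDNS_PPP_MESSY || __RCD_RDNS_PPOE_MESSY
tflags    RCD_RDNS_DYNAMIC_MESSY  nopublish

meta      RCD_RDNS_DYNAMIC        __RCD_RDNS_DIAL || __RCD_RDNS_DYN || __RCD_RDNS_PROXY || __RCD_RDNS_PPP || __RCD_RDNS_PPOE
tflags    RCD_RDNS_DYNAMIC        nopublish

# Dynamic-looking name that carries no server-looking token anywhere in it:
# the paper's "cleansing" step, so a host like "mail.dyn.example" is not
# counted as dynamic.
meta      RCD_RDNS_DYNAMIC_CLEAN  RCD_RDNS_DYNAMIC_MESSY && !RCD_RDNS_SERVER_MESSY
tflags    RCD_RDNS_DYNAMIC_CLEAN  nopublish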